ID

VAR-202012-1527

CVE

CVE-2020-1971

TITLE

Debian Security Advisory 4807-1

DESCRIPTION

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. Additional details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20201208.txt For the stable distribution (buster), this problem has been fixed in version 1.1.1d-0+deb10u4. We recommend that you upgrade your openssl packages. For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl/PmNRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0SrxA//cDd0JVO9bdkBLrjg3bh2ibaL7rZxWM2kDOZxQ9dTyuNKHXpk72EQN7bo YzYUOphu8Pea/v2E2bA0VzKka56lu1zmA1r2xXyZoK3YWoyVAdQe/AbrsNZh+k5U iZ9U5VeBNmb78vZqalFnecZBAhmPBmFKmE4yc7qhj+G1XGO+/yuRL8sBGpK3WKDX dj31X8+YlEfidj9LKj0mER1XpjaE7soWnmlFA8vI/cjBLnvWo4MyXUbicW2r028C KB/ACbp5BzXiZkcv45Dmk73Wp2GtMPamF3iL6VBNkEy5cBXvvD+WQCJLr87w+zHr Abvfz8UXvJnsD/qP7nEuQkMBDiZPeCIOe1lGtiNtU0oeDn1i9akVZ3pEtOf3azJ+ ZQRrxPY+qwWRenuf2CLBUzIzWh+9wUy3ZIOxSycBoqn1xN//EaZ38PNLpiYl2llM 1RyuvMn7jMo5Ow6keJ7ohIfY0FD3LNJId5Sf4EPfJHy/EAe/qSf+/WXXvLQAlMdg 0zkzBXSCHPlhOm4NgF+LuGqpyd10OK6O7C1eo2xejylohV1UJUXU+2CQfa2HQ0o4 eV5aYOsVEBPBIxedCd/XyVNCPrStetLhdP8kjASznPkIKcw1L7GW0SongEt6+7T+ csanRpBW+PoDRofOjop+zTAFesQLt/q7w2sjZCg2Wj/hEN6PeCs= =eV7T -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.9 security and bug fix update Advisory ID: RHSA-2020:5614-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:5614 Issue date: 2020-12-21 CVE Names: CVE-2020-1971 CVE-2020-8177 CVE-2020-15862 CVE-2020-16166 CVE-2020-27836 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.9 is now available with updates to packages and images that fix several bugs and add enhancements. This release also includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * cluster-ingress-operator: changes to loadBalancerSourceRanges overwritten by operator (CVE-2020-27836) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. This advisory contains the container images for Red Hat OpenShift Container Platform 4.6.9. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2020:5615 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html This update fixes the following bugs among others: * Previously, pre-flight installer validation for OpenShift Container Platform on OpenStack was performed on the flavor metadata. This could prevent installations to flavors detected as `baremetal`, which might have the required capacity to complete the installation. This is usually caused by OpenStack administrators not setting the appropriate metadata on their bare metal flavors. Validations are now skipped on flavors detected as `baremetal`, to prevent incorrect failures from being reported. (BZ#1889416) * Previously, there was a broken link on the OperatorHub install page of the web console, which was intended to reference the cluster monitoring documentation. (BZ#1904600) You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.9-x86_64 The image digest is sha256:43d5c84169a4b3ff307c29d7374f6d69a707de15e9fa90ad352b432f77c0cead (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.9-s390x The image digest is sha256:3d77e9b0fd14a5c4d50995bbb17494a02f27a69f2ffa9771b29d112fe084699f (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.9-ppc64le The image digest is sha256:0975188e83f8688f97180b408a447b41f492ee35d1dacd43a826b14db7d486e5 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor. 3. Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html. 4. Bugs fixed (https://bugzilla.redhat.com/): 1885442 - Console doesn't load in iOS Safari when using self-signed certificates 1885946 - console-master-e2e-gcp-console test periodically fail due to no Alerts found 1887551 - Unsupported access mode should not be available to select when creating pvc by aws-ebs-csi-driver(gp2-csi) from web-console 1888165 - [release 4.6] IO doesn't recognize namespaces - 2 resources with the same name in 2 namespaces -> only 1 gets collected 1888650 - Fix CVE-2015-7501 affecting agent-maven-3.5 1888717 - Cypress: Fix 'link-name' accesibility violation 1888721 - ovn-masters stuck in crashloop after scale test 1890993 - Selected Capacity is showing wrong size 1890994 - When the user clicked cancel at the Create Storage Class confirmation dialog all the data from the Local volume set goes off 1891427 - CLI does not save login credentials as expected when using the same username in multiple clusters 1891454 - EgressNetworkPolicy does not work when setting Allow rule to a dnsName 1891499 - Other machine config pools do not show during update 1891891 - Wrong detail head on network policy detail page. 1896149 - TLS secrets are not able to edit on console. 1896625 - with Serverless 1.10 version of trigger/subscription/channel/IMC is V1 as latest 1897019 - "Attach to Virtual Machine OS" button should not be visible on old clusters 1897766 - [release-4.6]Incorrect instructions in the Serverless operator and application quick starts 1898172 - installer missing permission definitions for TagResources and UntagResources when installing in existing VPC 1898302 - E2E test: Use KUBEADM_PASSWORD_FILE by default 1898746 - opm index add cannot batch add multiple bundles that use skips 1899056 - Max unavailable and Max surge value are not shown on Deployment Config Details page 1899382 - Remove TechPreview Badge from Eventing in Serverless version 1.11.0 1899728 - overview filesystem utilization of OCP is showing the wrong values 1901110 - pod donut shows incorrect information 1901871 - catalog-operator repeatedly crashes with "runtime error: index out of range [0] with length 0" 1901877 - linuxptp-daemon crash when enable debug log level [release-4.6] 1902029 - [sig-builds][Feature:Builds][valueFrom] process valueFrom in build strategy environment variables should successfully resolve valueFrom in docker build environment variables 1904014 - (release 4.6) Hostsubnet gatherer produces wrong output 1904028 - [release-4.6] The quota controllers should resync on new resources and make progress 1904065 - [release 4.6] [Openstack] HTTP_PROXY setting for NetworkManager-resolv-prepender not working 1904260 - VPA-operator has version: 1.0.0 every build 1904583 - Operator upgrades can delete existing CSV before completion 1904600 - Cluster monitoring documentation link is broken - 404 not found 1905004 - Use new packages for ipa ramdisks 1905230 - Multus errors when cachefile is not found 1905619 - [4.6.z] usbguard extension fails to install because of missing correct protobuf dependency version 1905622 - [Platform] Remove restriction on disk type selection for LocalVolumeSet 1905746 - Subscription manual approval test is flaky 1905903 - Rules in kube-apiserver.rules are taking too long and consuming too much memory for Prometheus to evaluate them 1906267 - CVE-2020-27836 cluster-ingress-operator: changes to loadBalancerSourceRanges overwritten by operator 1906416 - Errant change to lastupdatetime in copied CSV status can trigger runaway csv syncs 5. References: https://access.redhat.com/security/cve/CVE-2020-1971 https://access.redhat.com/security/cve/CVE-2020-8177 https://access.redhat.com/security/cve/CVE-2020-15862 https://access.redhat.com/security/cve/CVE-2020-16166 https://access.redhat.com/security/cve/CVE-2020-27836 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX+ClD9zjgjWX9erEAQhC0g/+Luia38AeI9BuO6wyp7Q/zJjPuBKxO+X+ cBx7i8wMWAZZ0Ex/pLDxskKsiz1nYfiCqjph0SohyIe/jfz8ePdB2LrKyDmLP3Pt mknjH68WMZb571RngH1aO+7TzLjrJC9VgWOBlJPii6pt8p74I8ybBtExgchwnLv4 nsyGEmhvylqFDo4ARnF+do/FwKvL1gxDHqtD6gCRfJBx8XUi34WVWpCIXfAkz9mU DrJQ0ib9KJFrzX7s1Sipci4IUfMyW3fmhRvmLU3GXblB/KhCafXWhRuetoQUoUBm DHFdqW6mOm3G2A9yRfqfDf8XZmxmcqu8rTjeQGnH9B4oi3Id7dXrcmpXnX/6LyCY 3nAUg/olKaWSOf5B92dWnS7wrJGDHq17qlKVppRHQy4lXaJ/yKIx3TLLxc/pop+u qgpViJW0qusOXcYuFcVbvXaEZ9HPnpOFZVGiW6xCCsoeJQHnm3WkzUbp8d33LkQ3 +aMxEUtXN34lRTuCC2pK+N9bKTBD8tFxqnVx4GcUZL9nrwNXJGqmGJU1ol0Gszyl +Z59xqXfbKzZuAXr+6+n0xjzojzAlQ/0lOXgrroBAHxmyBKSEino16TNazm8Rbf6 qFC3igMh+XNOs+8aXwoPEm/Gw3hI/2iiypK/2NXeR+GKBY7liCYg4cMvviwS0WpR 9Udm1+DfTgI=WIGA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Package List: Red Hat Enterprise Linux Server AUS (v. 7.2): Source: openssl-1.0.1e-52.el7_2.src.rpm x86_64: openssl-1.0.1e-52.el7_2.x86_64.rpm openssl-debuginfo-1.0.1e-52.el7_2.i686.rpm openssl-debuginfo-1.0.1e-52.el7_2.x86_64.rpm openssl-devel-1.0.1e-52.el7_2.i686.rpm openssl-devel-1.0.1e-52.el7_2.x86_64.rpm openssl-libs-1.0.1e-52.el7_2.i686.rpm openssl-libs-1.0.1e-52.el7_2.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 6 packages that are part of the JBoss Core Services offering. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1914774 - CVE-2021-20178 ansible: user data leak in snmp_facts module 1915808 - CVE-2021-20180 ansible module: bitbucket_pipeline_variable exposes secured values 1916813 - CVE-2021-20191 ansible: multiple modules expose secured values 1925002 - CVE-2021-20228 ansible: basic.py no_log with fallback option 1939349 - CVE-2021-3447 ansible: multiple modules expose secured values 5. Bug Fix(es): * Reject certificates with explicit EC parameters in strict mode (BZ#1891541) * Add FIPS selftest for HKDF, SSKDF, SSHKDF, and TLS12PRF; add DH_compute_key KAT to DH selftest (BZ#1891542) 4. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. Bug Fix(es): * Container-native Virtualization 2.5.3 Images (BZ#1902961) 3. Bugs fixed (https://bugzilla.redhat.com/): 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 1902961 - Container-native Virtualization 2.5.3 Images 5. Bugs fixed (https://bugzilla.redhat.com/): 1810470 - [Flake] volume expansion tests occasionally flake with EBS CSI driver 1811341 - Subpath test pod did not start within 5 minutes 1814282 - Storage e2es leaving namespaces/pods around 1836931 - `oc explain localvolume` returns empty description 1842747 - Not READYTOUSE volumesnapshot instance can not be deleted 1843008 - Fix reconcilliation of manifests for 4.6 channel for LSO 1850161 - [4.6] the skipVersion should exactly match regex in art.yaml 1852619 - must-gather creates empty files occasionally 1866843 - upgrade got stuck because of FailedAttachVolume 1867704 - cluster-storage-operator needs to grant pod list/watch permissions to aws operator 1867757 - Rebase node-registrar sidebar with latest version 1871439 - Bump node registrar golang version 1871955 - Allow snapshot operator to run on masters 1872000 - Allow ovirt controller to run on master nodes 1872244 - [aws-ebs-csi-driver] build fails 1872290 - storage operator does not install on ovirt 1872500 - Update resizer sidecar in CSI operators to use timeout parameter than csiTimeout 1873168 - add timeout parameter to resizer for aws 1877084 - tune resizer to have higher timeout than 2mins 1879221 - [Assisted-4.6][Staging] assisted-service API does not prevent a request with another user's credentials from setting cluster installation progress 1881625 - replace goautoreneg library in LSO 1886640 - CVE-2020-8566 kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4 1888909 - Placeholder bug for OCP 4.6.0 rpm release 1889416 - Installer complains about not enough vcpu for the baremetal flavor where generic bm flavor is being used 1889936 - Backport timecache LRU fix 1894244 - [Backport 4.6] IO archive contains more records of than is the limit 1894678 - Installer panics on invalid flavor 1894878 - Helm chart fails to install using developer console because of TLS certificate error 1895325 - [OSP] External mode cluster creation disabled for Openstack and oVirt platform 1895426 - unable to edit an application with a custom builder image 1895434 - unable to edit custom template application 1897337 - Mounts failing with error "Failed to start transient scope unit: Argument list too long" 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1898178 - [OVN] EgressIP does not guard against node IP assignment 1899266 - [4.6z] Baremetal IPI with IPv6 control plane: nodes respond with duplicate packets to ICMP6 echo requests 1899622 - [4.6z] configure-ovs.sh doesn't configure bonding options 1900736 - [SR-IOV] Backport request to SR-IOV operator version 4.6 - SriovNetworkNodePolicies apply ignoring the spec.nodeSelector. 1900792 - Track all resource counts via telemetry 1901736 - additionalSecurityGroupIDs not working for master nodes 1903353 - Etcd container leaves grep and lsof zombie processes 1905947 - [Internal Mode] Object gateway (RGW) in unknown state after OCP upgrade. 1906428 - [release-4.6]: When using webhooks in OCP 4.5 fails to rollout latest deploymentconfig 1906723 - File /etc/NetworkManager/system-connections/default_connection.nmconnection is incompatible with SR-IOV operator 1906836 - [sig-arch][Early] Managed cluster should start all core operators: monitoring: container has runAsNonRoot and image has non-numeric user (nobody) 1907203 - clusterresourceoverride-operator has version: 1.0.0 every build 1908472 - High Podready Latency due to timed out waiting for annotations 1908749 - [GSS] Unable to deploy OCS 4.5.2 on OCP 4.6.1, cannot `Create OCS Cluster Service` 1908803 - [OVN] Network Policy fails to work when project label gets overwritten 1908847 - [4.6.z] RHCOS 4.6 - Missing Initiatorname 1909062 - ARO/Azure: excessive pod memory allocation causes node lockup 1909248 - Intermittent packet drop from pod to pod 1909682 - When scaling down the status of the node is stuck on deleting 1909990 - oVirt provider uses depricated cluster-api project 1910066 - OpenShift YAML editor jumps to top every few seconds 1910104 - [oVirt] Node is not removed when VM has been removed from oVirt engine 1911790 - [Assisted-4.6] [Staging] reduce disk speed requirement for test/dev environments 1913103 - Placeholder bug for OCP 4.6.0 rpm release 1913105 - Placeholder bug for OCP 4.6.0 metadata release 1913263 - [4.6] Unable to schedule a pod due to Insufficient ephemeral-storage 1913329 - [Assisted-4.6] [Staging] Installation fails to start 1914988 - [4.6.z] real-time kernel in RHCOS is not synchronized 1915007 - Fixed by revert -- Upgrade to OCP 4.6.9 results in cluster-wide DNS and connectivity issues due to bad NetworkPolicy flows 5. 8.2) - aarch64, ppc64le, s390x, x86_64 3

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

overflow

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-06T20:16:24.743000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE